mirror of
https://github.com/tailscale/tailscale.git
synced 2024-11-26 19:45:35 +00:00
7b34154df2
First we had Capabilities []string. Then https://tailscale.com/blog/acl-grants (#4217) brought CapMap, a superset of Capabilities. Except we never really finished the transition inside the codebase to go all-in on CapMap. This does so. Notably, this coverts Capabilities on the wire early to CapMap internally so the code can only deal in CapMap, even against an old control server. In the process, this removes PeerChange.Capabilities support, which no known control plane sent anyway. They can and should use PeerChange.CapMap instead. Updates #11508 Updates #4217 Change-Id: I872074e226b873f9a578d9603897b831d50b25d9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
883 lines
23 KiB
Go
883 lines
23 KiB
Go
// Copyright (c) Tailscale Inc & AUTHORS
|
||
// SPDX-License-Identifier: BSD-3-Clause
|
||
|
||
package ipnlocal
|
||
|
||
import (
|
||
"bytes"
|
||
"context"
|
||
"encoding/json"
|
||
"fmt"
|
||
"io"
|
||
"io/fs"
|
||
"math/rand"
|
||
"net/http"
|
||
"net/http/httptest"
|
||
"net/netip"
|
||
"os"
|
||
"path/filepath"
|
||
"slices"
|
||
"strings"
|
||
"testing"
|
||
|
||
"github.com/google/go-cmp/cmp"
|
||
"go4.org/netipx"
|
||
"golang.org/x/net/dns/dnsmessage"
|
||
"tailscale.com/appc"
|
||
"tailscale.com/appc/appctest"
|
||
"tailscale.com/client/tailscale/apitype"
|
||
"tailscale.com/ipn"
|
||
"tailscale.com/ipn/store/mem"
|
||
"tailscale.com/tailcfg"
|
||
"tailscale.com/taildrop"
|
||
"tailscale.com/tstest"
|
||
"tailscale.com/types/logger"
|
||
"tailscale.com/types/netmap"
|
||
"tailscale.com/util/must"
|
||
"tailscale.com/wgengine"
|
||
"tailscale.com/wgengine/filter"
|
||
)
|
||
|
||
type peerAPITestEnv struct {
|
||
ph *peerAPIHandler
|
||
rr *httptest.ResponseRecorder
|
||
logBuf tstest.MemLogger
|
||
}
|
||
|
||
type check func(*testing.T, *peerAPITestEnv)
|
||
|
||
func checks(vv ...check) []check { return vv }
|
||
|
||
func httpStatus(wantStatus int) check {
|
||
return func(t *testing.T, e *peerAPITestEnv) {
|
||
if res := e.rr.Result(); res.StatusCode != wantStatus {
|
||
t.Errorf("HTTP response code = %v; want %v", res.Status, wantStatus)
|
||
}
|
||
}
|
||
}
|
||
|
||
func bodyContains(sub string) check {
|
||
return func(t *testing.T, e *peerAPITestEnv) {
|
||
if body := e.rr.Body.String(); !strings.Contains(body, sub) {
|
||
t.Errorf("HTTP response body does not contain %q; got: %s", sub, body)
|
||
}
|
||
}
|
||
}
|
||
|
||
func bodyNotContains(sub string) check {
|
||
return func(t *testing.T, e *peerAPITestEnv) {
|
||
if body := e.rr.Body.String(); strings.Contains(body, sub) {
|
||
t.Errorf("HTTP response body unexpectedly contains %q; got: %s", sub, body)
|
||
}
|
||
}
|
||
}
|
||
|
||
func fileHasSize(name string, size int) check {
|
||
return func(t *testing.T, e *peerAPITestEnv) {
|
||
root := e.ph.ps.taildrop.Dir()
|
||
if root == "" {
|
||
t.Errorf("no rootdir; can't check whether %q has size %v", name, size)
|
||
return
|
||
}
|
||
path := filepath.Join(root, name)
|
||
if fi, err := os.Stat(path); err != nil {
|
||
t.Errorf("fileHasSize(%q, %v): %v", name, size, err)
|
||
} else if fi.Size() != int64(size) {
|
||
t.Errorf("file %q has size %v; want %v", name, fi.Size(), size)
|
||
}
|
||
}
|
||
}
|
||
|
||
func fileHasContents(name string, want string) check {
|
||
return func(t *testing.T, e *peerAPITestEnv) {
|
||
root := e.ph.ps.taildrop.Dir()
|
||
if root == "" {
|
||
t.Errorf("no rootdir; can't check contents of %q", name)
|
||
return
|
||
}
|
||
path := filepath.Join(root, name)
|
||
got, err := os.ReadFile(path)
|
||
if err != nil {
|
||
t.Errorf("fileHasContents: %v", err)
|
||
return
|
||
}
|
||
if string(got) != want {
|
||
t.Errorf("file contents = %q; want %q", got, want)
|
||
}
|
||
}
|
||
}
|
||
|
||
func hexAll(v string) string {
|
||
var sb strings.Builder
|
||
for i := 0; i < len(v); i++ {
|
||
fmt.Fprintf(&sb, "%%%02x", v[i])
|
||
}
|
||
return sb.String()
|
||
}
|
||
|
||
func TestHandlePeerAPI(t *testing.T) {
|
||
tests := []struct {
|
||
name string
|
||
isSelf bool // the peer sending the request is owned by us
|
||
capSharing bool // self node has file sharing capability
|
||
debugCap bool // self node has debug capability
|
||
omitRoot bool // don't configure
|
||
reqs []*http.Request
|
||
checks []check
|
||
}{
|
||
{
|
||
name: "not_peer_api",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("GET", "/", nil)},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
bodyContains("This is my Tailscale device."),
|
||
bodyContains("You are the owner of this node."),
|
||
),
|
||
},
|
||
{
|
||
name: "not_peer_api_not_owner",
|
||
isSelf: false,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("GET", "/", nil)},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
bodyContains("This is my Tailscale device."),
|
||
bodyNotContains("You are the owner of this node."),
|
||
),
|
||
},
|
||
{
|
||
name: "goroutines/deny-self-no-cap",
|
||
isSelf: true,
|
||
debugCap: false,
|
||
reqs: []*http.Request{httptest.NewRequest("GET", "/v0/goroutines", nil)},
|
||
checks: checks(httpStatus(403)),
|
||
},
|
||
{
|
||
name: "goroutines/deny-nonself",
|
||
isSelf: false,
|
||
debugCap: true,
|
||
reqs: []*http.Request{httptest.NewRequest("GET", "/v0/goroutines", nil)},
|
||
checks: checks(httpStatus(403)),
|
||
},
|
||
{
|
||
name: "goroutines/accept-self",
|
||
isSelf: true,
|
||
debugCap: true,
|
||
reqs: []*http.Request{httptest.NewRequest("GET", "/v0/goroutines", nil)},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
bodyContains("ServeHTTP"),
|
||
),
|
||
},
|
||
{
|
||
name: "reject_non_owner_put",
|
||
isSelf: false,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", nil)},
|
||
checks: checks(
|
||
httpStatus(http.StatusForbidden),
|
||
bodyContains("Taildrop disabled"),
|
||
),
|
||
},
|
||
{
|
||
name: "owner_without_cap",
|
||
isSelf: true,
|
||
capSharing: false,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", nil)},
|
||
checks: checks(
|
||
httpStatus(http.StatusForbidden),
|
||
bodyContains("Taildrop disabled"),
|
||
),
|
||
},
|
||
{
|
||
name: "owner_with_cap_no_rootdir",
|
||
omitRoot: true,
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", nil)},
|
||
checks: checks(
|
||
httpStatus(http.StatusForbidden),
|
||
bodyContains("Taildrop disabled; no storage directory"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_method",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("POST", "/v0/put/foo", nil)},
|
||
checks: checks(
|
||
httpStatus(405),
|
||
bodyContains("expected method GET or PUT"),
|
||
),
|
||
},
|
||
{
|
||
name: "put_zero_length",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", nil)},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
bodyContains("{}"),
|
||
fileHasSize("foo", 0),
|
||
fileHasContents("foo", ""),
|
||
),
|
||
},
|
||
{
|
||
name: "put_non_zero_length_content_length",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", strings.NewReader("contents"))},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
bodyContains("{}"),
|
||
fileHasSize("foo", len("contents")),
|
||
fileHasContents("foo", "contents"),
|
||
),
|
||
},
|
||
{
|
||
name: "put_non_zero_length_chunked",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo", struct{ io.Reader }{strings.NewReader("contents")})},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
bodyContains("{}"),
|
||
fileHasSize("foo", len("contents")),
|
||
fileHasContents("foo", "contents"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_filename_partial",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo.partial", nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_filename_deleted",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo.deleted", nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_filename_dot",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/.", nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_filename_empty",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/", nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_filename_slash",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/foo/bar", nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_filename_encoded_dot",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("."), nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_filename_encoded_slash",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("/"), nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_filename_encoded_backslash",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("\\"), nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_filename_encoded_dotdot",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll(".."), nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "bad_filename_encoded_dotdot_out",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("foo/../../../../../etc/passwd"), nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "put_spaces_and_caps",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("Foo Bar.dat"), strings.NewReader("baz"))},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
bodyContains("{}"),
|
||
fileHasContents("Foo Bar.dat", "baz"),
|
||
),
|
||
},
|
||
{
|
||
name: "put_unicode",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("Томас и его друзья.mp3"), strings.NewReader("главный озорник"))},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
bodyContains("{}"),
|
||
fileHasContents("Томас и его друзья.mp3", "главный озорник"),
|
||
),
|
||
},
|
||
{
|
||
name: "put_invalid_utf8",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+(hexAll("😜")[:3]), nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "put_invalid_null",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/%00", nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "put_invalid_non_printable",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/%01", nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "put_invalid_colon",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll("nul:"), nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "put_invalid_surrounding_whitespace",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{httptest.NewRequest("PUT", "/v0/put/"+hexAll(" foo "), nil)},
|
||
checks: checks(
|
||
httpStatus(400),
|
||
bodyContains("invalid filename"),
|
||
),
|
||
},
|
||
{
|
||
name: "host-val/bad-ip",
|
||
isSelf: true,
|
||
debugCap: true,
|
||
reqs: []*http.Request{httptest.NewRequest("GET", "http://12.23.45.66:1234/v0/env", nil)},
|
||
checks: checks(
|
||
httpStatus(403),
|
||
),
|
||
},
|
||
{
|
||
name: "host-val/no-port",
|
||
isSelf: true,
|
||
debugCap: true,
|
||
reqs: []*http.Request{httptest.NewRequest("GET", "http://100.100.100.101/v0/env", nil)},
|
||
checks: checks(
|
||
httpStatus(403),
|
||
),
|
||
},
|
||
{
|
||
name: "host-val/peer",
|
||
isSelf: true,
|
||
debugCap: true,
|
||
reqs: []*http.Request{httptest.NewRequest("GET", "http://peer/v0/env", nil)},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
),
|
||
},
|
||
{
|
||
name: "duplicate_zero_length",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{
|
||
httptest.NewRequest("PUT", "/v0/put/foo", nil),
|
||
httptest.NewRequest("PUT", "/v0/put/foo", nil),
|
||
},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
func(t *testing.T, env *peerAPITestEnv) {
|
||
got, err := env.ph.ps.taildrop.WaitingFiles()
|
||
if err != nil {
|
||
t.Fatalf("WaitingFiles error: %v", err)
|
||
}
|
||
want := []apitype.WaitingFile{{Name: "foo", Size: 0}}
|
||
if diff := cmp.Diff(got, want); diff != "" {
|
||
t.Fatalf("WaitingFile mismatch (-got +want):\n%s", diff)
|
||
}
|
||
},
|
||
),
|
||
},
|
||
{
|
||
name: "duplicate_non_zero_length_content_length",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{
|
||
httptest.NewRequest("PUT", "/v0/put/foo", strings.NewReader("contents")),
|
||
httptest.NewRequest("PUT", "/v0/put/foo", strings.NewReader("contents")),
|
||
},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
func(t *testing.T, env *peerAPITestEnv) {
|
||
got, err := env.ph.ps.taildrop.WaitingFiles()
|
||
if err != nil {
|
||
t.Fatalf("WaitingFiles error: %v", err)
|
||
}
|
||
want := []apitype.WaitingFile{{Name: "foo", Size: 8}}
|
||
if diff := cmp.Diff(got, want); diff != "" {
|
||
t.Fatalf("WaitingFile mismatch (-got +want):\n%s", diff)
|
||
}
|
||
},
|
||
),
|
||
},
|
||
{
|
||
name: "duplicate_different_files",
|
||
isSelf: true,
|
||
capSharing: true,
|
||
reqs: []*http.Request{
|
||
httptest.NewRequest("PUT", "/v0/put/foo", strings.NewReader("fizz")),
|
||
httptest.NewRequest("PUT", "/v0/put/foo", strings.NewReader("buzz")),
|
||
},
|
||
checks: checks(
|
||
httpStatus(200),
|
||
func(t *testing.T, env *peerAPITestEnv) {
|
||
got, err := env.ph.ps.taildrop.WaitingFiles()
|
||
if err != nil {
|
||
t.Fatalf("WaitingFiles error: %v", err)
|
||
}
|
||
want := []apitype.WaitingFile{{Name: "foo", Size: 4}, {Name: "foo (1)", Size: 4}}
|
||
if diff := cmp.Diff(got, want); diff != "" {
|
||
t.Fatalf("WaitingFile mismatch (-got +want):\n%s", diff)
|
||
}
|
||
},
|
||
),
|
||
},
|
||
}
|
||
for _, tt := range tests {
|
||
t.Run(tt.name, func(t *testing.T) {
|
||
selfNode := &tailcfg.Node{
|
||
Addresses: []netip.Prefix{
|
||
netip.MustParsePrefix("100.100.100.101/32"),
|
||
},
|
||
}
|
||
if tt.debugCap {
|
||
selfNode.CapMap = tailcfg.NodeCapMap{tailcfg.CapabilityDebug: nil}
|
||
}
|
||
var e peerAPITestEnv
|
||
lb := &LocalBackend{
|
||
logf: e.logBuf.Logf,
|
||
capFileSharing: tt.capSharing,
|
||
netMap: &netmap.NetworkMap{SelfNode: selfNode.View()},
|
||
clock: &tstest.Clock{},
|
||
}
|
||
e.ph = &peerAPIHandler{
|
||
isSelf: tt.isSelf,
|
||
selfNode: selfNode.View(),
|
||
peerNode: (&tailcfg.Node{
|
||
ComputedName: "some-peer-name",
|
||
}).View(),
|
||
ps: &peerAPIServer{
|
||
b: lb,
|
||
},
|
||
}
|
||
var rootDir string
|
||
if !tt.omitRoot {
|
||
rootDir = t.TempDir()
|
||
if e.ph.ps.taildrop == nil {
|
||
e.ph.ps.taildrop = taildrop.ManagerOptions{
|
||
Logf: e.logBuf.Logf,
|
||
Dir: rootDir,
|
||
}.New()
|
||
}
|
||
}
|
||
for _, req := range tt.reqs {
|
||
e.rr = httptest.NewRecorder()
|
||
if req.Host == "example.com" {
|
||
req.Host = "100.100.100.101:12345"
|
||
}
|
||
e.ph.ServeHTTP(e.rr, req)
|
||
}
|
||
for _, f := range tt.checks {
|
||
f(t, &e)
|
||
}
|
||
if t.Failed() && rootDir != "" {
|
||
t.Logf("Contents of %s:", rootDir)
|
||
des, _ := fs.ReadDir(os.DirFS(rootDir), ".")
|
||
for _, de := range des {
|
||
fi, err := de.Info()
|
||
if err != nil {
|
||
t.Log(err)
|
||
} else {
|
||
t.Logf(" %v %5d %s", fi.Mode(), fi.Size(), de.Name())
|
||
}
|
||
}
|
||
}
|
||
})
|
||
}
|
||
}
|
||
|
||
// Windows likes to hold on to file descriptors for some indeterminate
|
||
// amount of time after you close them and not let you delete them for
|
||
// a bit. So test that we work around that sufficiently.
|
||
func TestFileDeleteRace(t *testing.T) {
|
||
dir := t.TempDir()
|
||
ps := &peerAPIServer{
|
||
b: &LocalBackend{
|
||
logf: t.Logf,
|
||
capFileSharing: true,
|
||
clock: &tstest.Clock{},
|
||
},
|
||
taildrop: taildrop.ManagerOptions{
|
||
Logf: t.Logf,
|
||
Dir: dir,
|
||
}.New(),
|
||
}
|
||
ph := &peerAPIHandler{
|
||
isSelf: true,
|
||
peerNode: (&tailcfg.Node{
|
||
ComputedName: "some-peer-name",
|
||
}).View(),
|
||
selfNode: (&tailcfg.Node{
|
||
Addresses: []netip.Prefix{netip.MustParsePrefix("100.100.100.101/32")},
|
||
}).View(),
|
||
ps: ps,
|
||
}
|
||
buf := make([]byte, 2<<20)
|
||
for i := 0; i < 30; i++ {
|
||
rr := httptest.NewRecorder()
|
||
ph.ServeHTTP(rr, httptest.NewRequest("PUT", "http://100.100.100.101:123/v0/put/foo.txt", bytes.NewReader(buf[:rand.Intn(len(buf))])))
|
||
if res := rr.Result(); res.StatusCode != 200 {
|
||
t.Fatal(res.Status)
|
||
}
|
||
wfs, err := ps.taildrop.WaitingFiles()
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if len(wfs) != 1 {
|
||
t.Fatalf("waiting files = %d; want 1", len(wfs))
|
||
}
|
||
|
||
if err := ps.taildrop.DeleteFile("foo.txt"); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
wfs, err = ps.taildrop.WaitingFiles()
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if len(wfs) != 0 {
|
||
t.Fatalf("waiting files = %d; want 0", len(wfs))
|
||
}
|
||
}
|
||
}
|
||
|
||
func TestPeerAPIReplyToDNSQueries(t *testing.T) {
|
||
var h peerAPIHandler
|
||
|
||
h.isSelf = true
|
||
if !h.replyToDNSQueries() {
|
||
t.Errorf("for isSelf = false; want true")
|
||
}
|
||
h.isSelf = false
|
||
h.remoteAddr = netip.MustParseAddrPort("100.150.151.152:12345")
|
||
|
||
eng, _ := wgengine.NewFakeUserspaceEngine(logger.Discard, 0)
|
||
pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
|
||
h.ps = &peerAPIServer{
|
||
b: &LocalBackend{
|
||
e: eng,
|
||
pm: pm,
|
||
store: pm.Store(),
|
||
},
|
||
}
|
||
if h.ps.b.OfferingExitNode() {
|
||
t.Fatal("unexpectedly offering exit node")
|
||
}
|
||
h.ps.b.pm.SetPrefs((&ipn.Prefs{
|
||
AdvertiseRoutes: []netip.Prefix{
|
||
netip.MustParsePrefix("0.0.0.0/0"),
|
||
netip.MustParsePrefix("::/0"),
|
||
},
|
||
}).View(), ipn.NetworkProfile{})
|
||
if !h.ps.b.OfferingExitNode() {
|
||
t.Fatal("unexpectedly not offering exit node")
|
||
}
|
||
|
||
if h.replyToDNSQueries() {
|
||
t.Errorf("unexpectedly doing DNS without filter")
|
||
}
|
||
|
||
h.ps.b.setFilter(filter.NewAllowNone(logger.Discard, new(netipx.IPSet)))
|
||
if h.replyToDNSQueries() {
|
||
t.Errorf("unexpectedly doing DNS without filter")
|
||
}
|
||
|
||
f := filter.NewAllowAllForTest(logger.Discard)
|
||
|
||
h.ps.b.setFilter(f)
|
||
if !h.replyToDNSQueries() {
|
||
t.Errorf("unexpectedly deny; wanted to be a DNS server")
|
||
}
|
||
|
||
// Also test IPv6.
|
||
h.remoteAddr = netip.MustParseAddrPort("[fe70::1]:12345")
|
||
if !h.replyToDNSQueries() {
|
||
t.Errorf("unexpectedly IPv6 deny; wanted to be a DNS server")
|
||
}
|
||
}
|
||
|
||
func TestPeerAPIPrettyReplyCNAME(t *testing.T) {
|
||
var h peerAPIHandler
|
||
h.remoteAddr = netip.MustParseAddrPort("100.150.151.152:12345")
|
||
|
||
eng, _ := wgengine.NewFakeUserspaceEngine(logger.Discard, 0)
|
||
pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
|
||
h.ps = &peerAPIServer{
|
||
b: &LocalBackend{
|
||
e: eng,
|
||
pm: pm,
|
||
store: pm.Store(),
|
||
// configure as an app connector just to enable the API.
|
||
appConnector: appc.NewAppConnector(t.Logf, &appctest.RouteCollector{}),
|
||
},
|
||
}
|
||
|
||
h.ps.resolver = &fakeResolver{build: func(b *dnsmessage.Builder) {
|
||
b.CNAMEResource(
|
||
dnsmessage.ResourceHeader{
|
||
Name: dnsmessage.MustNewName("www.example.com."),
|
||
Type: dnsmessage.TypeCNAME,
|
||
Class: dnsmessage.ClassINET,
|
||
TTL: 0,
|
||
},
|
||
dnsmessage.CNAMEResource{
|
||
CNAME: dnsmessage.MustNewName("example.com."),
|
||
},
|
||
)
|
||
b.AResource(
|
||
dnsmessage.ResourceHeader{
|
||
Name: dnsmessage.MustNewName("example.com."),
|
||
Type: dnsmessage.TypeA,
|
||
Class: dnsmessage.ClassINET,
|
||
TTL: 0,
|
||
},
|
||
dnsmessage.AResource{
|
||
A: [4]byte{192, 0, 0, 8},
|
||
},
|
||
)
|
||
}}
|
||
f := filter.NewAllowAllForTest(logger.Discard)
|
||
h.ps.b.setFilter(f)
|
||
|
||
if !h.replyToDNSQueries() {
|
||
t.Errorf("unexpectedly deny; wanted to be a DNS server")
|
||
}
|
||
|
||
w := httptest.NewRecorder()
|
||
h.handleDNSQuery(w, httptest.NewRequest("GET", "/dns-query?q=www.example.com.", nil))
|
||
if w.Code != http.StatusOK {
|
||
t.Errorf("unexpected status code: %v", w.Code)
|
||
}
|
||
var addrs []string
|
||
json.NewDecoder(w.Body).Decode(&addrs)
|
||
if len(addrs) == 0 {
|
||
t.Fatalf("no addresses returned")
|
||
}
|
||
for _, addr := range addrs {
|
||
netip.MustParseAddr(addr)
|
||
}
|
||
}
|
||
|
||
func TestPeerAPIReplyToDNSQueriesAreObserved(t *testing.T) {
|
||
ctx := context.Background()
|
||
var h peerAPIHandler
|
||
h.remoteAddr = netip.MustParseAddrPort("100.150.151.152:12345")
|
||
|
||
rc := &appctest.RouteCollector{}
|
||
eng, _ := wgengine.NewFakeUserspaceEngine(logger.Discard, 0)
|
||
pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
|
||
h.ps = &peerAPIServer{
|
||
b: &LocalBackend{
|
||
e: eng,
|
||
pm: pm,
|
||
store: pm.Store(),
|
||
appConnector: appc.NewAppConnector(t.Logf, rc),
|
||
},
|
||
}
|
||
h.ps.b.appConnector.UpdateDomains([]string{"example.com"})
|
||
h.ps.b.appConnector.Wait(ctx)
|
||
|
||
h.ps.resolver = &fakeResolver{build: func(b *dnsmessage.Builder) {
|
||
b.AResource(
|
||
dnsmessage.ResourceHeader{
|
||
Name: dnsmessage.MustNewName("example.com."),
|
||
Type: dnsmessage.TypeA,
|
||
Class: dnsmessage.ClassINET,
|
||
TTL: 0,
|
||
},
|
||
dnsmessage.AResource{
|
||
A: [4]byte{192, 0, 0, 8},
|
||
},
|
||
)
|
||
}}
|
||
f := filter.NewAllowAllForTest(logger.Discard)
|
||
h.ps.b.setFilter(f)
|
||
|
||
if !h.ps.b.OfferingAppConnector() {
|
||
t.Fatal("expecting to be offering app connector")
|
||
}
|
||
if !h.replyToDNSQueries() {
|
||
t.Errorf("unexpectedly deny; wanted to be a DNS server")
|
||
}
|
||
|
||
w := httptest.NewRecorder()
|
||
h.handleDNSQuery(w, httptest.NewRequest("GET", "/dns-query?q=example.com.", nil))
|
||
if w.Code != http.StatusOK {
|
||
t.Errorf("unexpected status code: %v", w.Code)
|
||
}
|
||
h.ps.b.appConnector.Wait(ctx)
|
||
|
||
wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
|
||
if !slices.Equal(rc.Routes(), wantRoutes) {
|
||
t.Errorf("got %v; want %v", rc.Routes(), wantRoutes)
|
||
}
|
||
}
|
||
|
||
func TestPeerAPIReplyToDNSQueriesAreObservedWithCNAMEFlattening(t *testing.T) {
|
||
ctx := context.Background()
|
||
var h peerAPIHandler
|
||
h.remoteAddr = netip.MustParseAddrPort("100.150.151.152:12345")
|
||
|
||
rc := &appctest.RouteCollector{}
|
||
eng, _ := wgengine.NewFakeUserspaceEngine(logger.Discard, 0)
|
||
pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
|
||
h.ps = &peerAPIServer{
|
||
b: &LocalBackend{
|
||
e: eng,
|
||
pm: pm,
|
||
store: pm.Store(),
|
||
appConnector: appc.NewAppConnector(t.Logf, rc),
|
||
},
|
||
}
|
||
h.ps.b.appConnector.UpdateDomains([]string{"www.example.com"})
|
||
h.ps.b.appConnector.Wait(ctx)
|
||
|
||
h.ps.resolver = &fakeResolver{build: func(b *dnsmessage.Builder) {
|
||
b.CNAMEResource(
|
||
dnsmessage.ResourceHeader{
|
||
Name: dnsmessage.MustNewName("www.example.com."),
|
||
Type: dnsmessage.TypeCNAME,
|
||
Class: dnsmessage.ClassINET,
|
||
TTL: 0,
|
||
},
|
||
dnsmessage.CNAMEResource{
|
||
CNAME: dnsmessage.MustNewName("example.com."),
|
||
},
|
||
)
|
||
b.AResource(
|
||
dnsmessage.ResourceHeader{
|
||
Name: dnsmessage.MustNewName("example.com."),
|
||
Type: dnsmessage.TypeA,
|
||
Class: dnsmessage.ClassINET,
|
||
TTL: 0,
|
||
},
|
||
dnsmessage.AResource{
|
||
A: [4]byte{192, 0, 0, 8},
|
||
},
|
||
)
|
||
}}
|
||
f := filter.NewAllowAllForTest(logger.Discard)
|
||
h.ps.b.setFilter(f)
|
||
|
||
if !h.ps.b.OfferingAppConnector() {
|
||
t.Fatal("expecting to be offering app connector")
|
||
}
|
||
if !h.replyToDNSQueries() {
|
||
t.Errorf("unexpectedly deny; wanted to be a DNS server")
|
||
}
|
||
|
||
w := httptest.NewRecorder()
|
||
h.handleDNSQuery(w, httptest.NewRequest("GET", "/dns-query?q=www.example.com.", nil))
|
||
if w.Code != http.StatusOK {
|
||
t.Errorf("unexpected status code: %v", w.Code)
|
||
}
|
||
h.ps.b.appConnector.Wait(ctx)
|
||
|
||
wantRoutes := []netip.Prefix{netip.MustParsePrefix("192.0.0.8/32")}
|
||
if !slices.Equal(rc.Routes(), wantRoutes) {
|
||
t.Errorf("got %v; want %v", rc.Routes(), wantRoutes)
|
||
}
|
||
}
|
||
|
||
type fakeResolver struct {
|
||
build func(*dnsmessage.Builder)
|
||
}
|
||
|
||
func (f *fakeResolver) HandlePeerDNSQuery(ctx context.Context, q []byte, from netip.AddrPort, allowName func(name string) bool) (res []byte, err error) {
|
||
b := dnsmessage.NewBuilder(nil, dnsmessage.Header{})
|
||
b.EnableCompression()
|
||
b.StartAnswers()
|
||
f.build(&b)
|
||
return b.Finish()
|
||
}
|